Various forum members have already posted about fraud they suspect can be traced back to FrontGate here. While none of us can prove the exact source of where fraudsters stole our CC info, after much research and due diligence, I believe there is more merit to each of our suspicions than I wish were true.

I will first qualify the claims below by saying they are all based on the conclusions of an outsider without true visibility into FrontGate policies, processes, or operations. Instead, they are based on conversations with Visa, FrontGate, my bank, American Express, and online information provided by each of those parties.

Here’s a list of companies who choose to be PCI compliant and have a Qualified Security Assessor (QSA) independently report to VISA, compliance on an annual basis. While not all ticket sellers are on the list, familiar names that are include Ticketmaster, Tickets.com, and TicketNetwork. These companies are proactively telling their consumers that their credit card processing is safe, secure, and compliant. If in fact, FrontGate is complying with both PCI and the individual credit card company standards, it would be nice if they could provide this compliance to their consumers so we could dismiss these suspicions.

So, onto my findings:

On the surface it appears that FrontGate is violating PCI and Visa Merchant Guidelines through the storing of CVV2 and CID codes. Those are the 3 and 4 digit codes on the back of your Visa and the front of your Amex that are used for “Card Absent Transactions” to help ensure the card is in possession of the purchaser at the time of an online, phone, or mail-order transaction. Because of the sensitivity of these codes, Visa and PCI clearly state “A cardholder’s CVV2 may never be stored as a part of order information or customer data. The storage of CVV2 is strictly prohibited subsequent to authorization”, which reduces the risk that both the CC# along with CVV2 falls into the wrong hands. A reasonable time to hold the code for authorization is up to 24 hours given a reasonable business purpose.

To be handy, FrontGate has provided us with a “My Account” page, where we can update our billing and STORED CREDIT CARD INFORMATION, which includes a field for CVC/CVV Code. As we know, FG does NOT transmit this information right away, but instead processes this information in batch once per month and then again 10 or so days later for those CCs that were declined.

I’d suggest they may be validating the card at the time of account update and then dropping the CVV2 code, but when I attempted a fake CVV2 code, the page indicated ‘Your account has been updated’, further supporting the idea they save this code until the monthly batch. Maybe FG is collecting the CVV2 code, but not using it at all? If that’s the case, then they should drop the field on the account update page.

For recurring payment plans, Visa (and others such as Amex) offer the Visa Account Updater (see card acceptance guidelines), which allows for submittal of the CVV2 code during the initial payment and allows for the bank to update the merchant automatically of CC changes. VAU doesn’t appear to be used by FG, but rather separate transactions are processed each month, further supporting that CVV2s are being submitted monthly from a stored source. VAU would provide for a much more secure option.

I called FrontGate and spoke with different customer service agents (who may or may not know what they are talking about) and each claimed that all of this information is stored online and processed the following month. Asked specifically about the CVV2 code, they said “yes, all of it”. None of them seemed to be familiar with laws preventing the storage of the code.

Credit Card Information: We store all information that we collect through the ordering process excluding the actual credit card number. We do NOT store credit card numbers in our database, nor is the credit card number stored at any point on our server, it is transmitted directly to gateway (currently authorize.net). Please click here to review their privacy and security policies.

This is further indication that security / privacy for the Coachella Payment Plan wasn't top priority considering they didn't even bother to update the disclosure relevant to the new process.

And finally, if you check your "My Account" page on FG, you'll see that the URL secure.independenttickets.com is used. Google this, and you start getting people’s private information like receipts with people’s address and name for Electric Forest, Snowglobe, Pretty Lights, and various festivals. I have no idea what this is all about, but in no way does it support that FG is secure or even complying with their own privacy policy.

I sent an email to GV about this, but haven't heard back. I really hope I'm wrong and none of this is true, and that FG is just doing a bad job of communicating their security compliance to its customers.

09-19-2012, 09:56 PM

euphonicfiend

Re: FrontGate Tickets - Credit Card Security Suspicions

Wow! I hope you are wrong for all of our sakes! Very informative, thank you!

09-19-2012, 10:51 PM

LickTheLizzard

Re: FrontGate Tickets - Credit Card Security Suspicions

Someone used my credit card info about 2 weeks ago. I could not figure out how someone in Chicago was paying for parking with my debit card, but it looks like FrontGate could be the source. Luckily my bank caught it.

09-20-2012, 05:32 AM

gaypalmsprings

Re: FrontGate Tickets - Credit Card Security Suspicions

I clicked on your link and was shocked to find so many current receipts. While the credit card info wasn't listed, the order number and ALL the customer's personal info is displayed (name, billing address, shipping address, date of purchase, phone number). Not just Front Gate, but Ducat King as well. I remember liking Ducat King one year. Wes, thanks for posting. You should consider filing a complaint with authorities.

09-20-2012, 08:53 AM

JorgeC

Re: FrontGate Tickets - Credit Card Security Suspicions

Thanks for the heads up. I review my debit card on a pretty regular basis, but i'll be scrutinizing more closely knowing that FG has a (possible) lapse in their security.

09-20-2012, 01:48 PM

PlayaDelWes

Re: FrontGate Tickets - Credit Card Security Suspicions

It kinda flew under the radar, but AEG (in a joint venture with C3) purchased Front Gate Tickets last week.

Hopefully that means as part of a larger organization, payment security is of higher priority.

09-20-2012, 02:41 PM

amyzzz

Re: FrontGate Tickets - Credit Card Security Suspicions

Holy fucking shit on those receipts. Just shit.

09-20-2012, 02:51 PM

captncrzy

Re: FrontGate Tickets - Credit Card Security Suspicions

Jesus. Full names and addresses.

09-20-2012, 03:10 PM

bobert

Re: FrontGate Tickets - Credit Card Security Suspicions

This is disturbing.

09-26-2012, 08:29 AM

ameeps

Re: FrontGate Tickets - Credit Card Security Suspicions

I've never liked frontgate. I now like them less.

11-05-2012, 01:19 PM

theStank

Re: FrontGate Tickets - Credit Card Security Suspicions

I am having some MAJOR MF'N ISSUES with frontgate tickets right now in regrads to my 2 GA Eldorado Lake Passes!! They are telling me that there is an AVS mismatch and that they cannot take out this months payment (november). I have the funds available on CC for them take and my CC company is telling me that the transaction is pending but are waiting for frontgate to send the electronic reciept in order for MasterCard to release the funds. Frontagate is telling me that the billing addresses no longer match up? I have not changed ANYTHING in regards to any info for my account with frontgate. Frontgate is telling me that its on my CC side and that I need to clear this. Frontgate had NO PROBLEMS at all taking out the past payments from my CC until now. Tried to contact thye fine people at Coachella in regrds to this mess, but I am not sure I am able to get thru to the proper people. ANYONE know what I can do or WHO I can contact in regards to this mess. Somebody from Coachella and not frontgate. Dealing with frontgate has become a nightmare. Anyways............. help?!?!

11-05-2012, 02:35 PM

amma_sol

Re: FrontGate Tickets - Credit Card Security Suspicions

holy crap. full on receipts. not cool.

11-06-2012, 04:16 PM

theStank

Re: FrontGate Tickets - Credit Card Security Suspicions

Quote:

Originally Posted by amma_sol

holy crap. full on receipts. not cool.

shit its the language police! problem resolved........ thanks for all the help YO!!

11-09-2012, 10:41 PM

know ID ya

Re: FrontGate Tickets - Credit Card Security Suspicions

Remember folks, it takes more than a name and an address to get a credit card. It takes a Social Security Number. As long as that information is not stored or shared, your identity is safe.

Credit card companies protect your identity. You can protest any purchase, and you are not liable for those purchases. Credit card companies make a lot of money on interest, so they don't make you pay for the purchases you don't make. Sure, it's a pain in the ass every time your card is cancelled and you have to update your automatic bill pays to reflect a new card, but they are on top of this more than you or I. I've had my credit card cancelled and replaced at least twice per year because I made a transaction with a supplier who wasn't deemed credible. Your credit card company isn't out to fuck over your identity. They want your business.

The takeaway here is to monitor your online accounts, and be quick to point out discrepancies. Thanks for the information Playa, but let's not all freak out right away. We are protected as long as someone doesn't have our SSN#. SSN#'s unfortunately get passed around a lot, but not because of sketchy companies like Ticketmaster or Frontgate.

EDIT: For the purpose of this post, credit card equals debit card. I understand it is even a bigger pain in the ass to protest debit card transactions, but know your bank has your back more than a ticket supplier.